Enable Duo Globally #4498

Closed
opened 2026-03-07 19:49:49 -06:00 by GiteaMirror · 8 comments
Owner

Originally created by @misilot on GitHub (Nov 2, 2020).

Is there a way to enable Duo globally for all users? Duo is smart enough to bypass its checks if the user does not exist. All users we have utilizing the system have Duo accounts.

Thank you!

GiteaMirror added the "better for forum" and "question" labels 2026-03-07 19:49:49 -06:00
@davidjameshowell commented on GitHub (Nov 28, 2020):

I know this is not exactly a fix, but my workaround for my Heroku instance is to manually update the config file with sed and do a replace on the enable bool:

```
sed_files 's/_enable_duo:            bool,   true,   def,     false;/_enable_duo:            bool,   true,   def,     true;/g' ./${BITWARDEN_RS_FOLDER}/src/config.rs
```

This just sets that config flag to true since my main account user has Duo enabled.


@BlackDex commented on GitHub (Jan 31, 2021):

@davidjameshowell & @misilot
Not sure if this is still relevant, but changing that value in the source sounds a bit stupid to me since you can change it at either runtime or during the docker config as an environment variable `_ENABLE_DUO=true`.


@misilot commented on GitHub (Jan 31, 2021):

Hi @BlackDex, I think it is still relevant. I have `_ENABLE_DUO=true` and pass in the "Site wide Duo config", but from everything I have seen, users still need to select Duo as their MFA provider. I would like to have Duo be a primary (always on) MFA provider and utilize the upstream config. The way Duo works, if the username matches in Duo they are prompted for MFA; otherwise it continues on.

I hope that clarifies what I am looking for with this.

Thanks!


@BlackDex commented on GitHub (Jun 21, 2021):

Well, I'm not sure if this is even possible since users seem to be able to change this config themselves.
And, globally it can only work for users who are connected to an org. (Which is something vaultwarden doesn't support yet).

Also see: https://bitwarden.com/help/article/setup-two-step-login-duo/

So I think this is not possible, and that we can close this one since we already have a feature request listed here #246 regarding 2FA for orgs.


@bbrendon commented on GitHub (Jun 21, 2021):

It's possible to enable it globally. I'm not sure if it's possible to require it globally though.


@misilot commented on GitHub (Jun 21, 2021):

It can be, but users can change the settings (well they have to enable first as well for themselves).

Duo can be set up to bypass users who don't have an account, so it would be great if the Duo settings could be enforced system wide, and let Duo handle showing or not.


@BlackDex commented on GitHub (Jun 21, 2021):

Well, I can put it on the meta features list #246 so that if someone wants to help they can see this request over there.

Though I think this would be more a feature for orgs, and that is still a feature missing. Instead of forcing this for all users, also not part of an org as you are suggesting.


@BlackDex commented on GitHub (Jun 22, 2021):

To clarify, I understand that Duo supports an always on and skip if no account exists, but that is not how it's implemented within Bitwarden, and thus also not Vaultwarden.

Bitwarden has a way to enforce MFA for all users within an organization via Duo, this feature isn't in Vaultwarden as of yet (though there is a PR #1604 which is pending a review/changes).

Having this forced for all users not even within that org is currently not how Bitwarden works, so I'm not sure if we want to do this and if that could break stuff.


Reference: github-starred/vaultwarden#4498